Report - egwis.com/fileman.pdf

Report Overview

Visitedpublic

2023-09-25 11:20:47

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
egwis.com	unknown	2006-08-23	2015-09-12 04:52:38	2023-09-24 04:22:09	903 B	227 kB	198.38.82.168

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2023-09-25	medium	egwis.com/fileman.pdf	files - file ~tmp01925d3f.exe

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

Scan Date	Severity	Indicator	Alert
2023-09-25	medium	egwis.com	Sinkholed
2023-09-25	medium	egwis.com	Sinkholed

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2023-09-25	medium	egwis.com	Sinkholed
2023-09-25	medium	egwis.com	Sinkholed

ThreatFox

No alerts detected

File detected

URL

egwis.com/fileman.pdf

IP / ASN

198.38.82.168

#23352 SERVERCENTRAL

File Overview

File TypePE32+ executable (DLL) (GUI) x86-64, for MS Windows\012- data

Size219 kB (218624 bytes)

MD56f3be0dfe6b5971b16464b7924772445

SHA18af5e975c00f5bdbd843f644a60adbb5f8da8a0d

SHA256b51cb6fa584a073fe95bcf8749cf84363cb431f520a5d97cec92aae88329b7cb

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	files - file ~tmp01925d3f.exe
VirusTotal	malicious	VirusTotal - Scan result 50/66

JavaScript (2)

	URL	From	Size	First Seen	Last Seen
	resource://pdf.js/build/pdf.js	ScriptElement	409 kB	2023-04-05	2024-08-21
URL resource://pdf.js/build/pdf.js IP / ASN 0.0.0.0 #0 Introduced by ScriptElement Embedded false Resource Info First Seen 2023-04-05 Last Seen 2024-08-21 Times Seen 1908 Size 409 kB (408799 bytes) MD5 20e6c586f29097f2e5cdae968750eadd SHA1 3c9686f236f18fccc03573b414a7cc7ba80781c0 SHA256 242bb4bf9896928a152ef1bbea644e9832f698a04fd62e461582b648b040007e Format Code Loading...

	resource://pdf.js/web/viewer.js	ScriptElement	401 kB	2023-04-05	2024-08-21
URL resource://pdf.js/web/viewer.js IP / ASN 0.0.0.0 #0 Introduced by ScriptElement Embedded false Resource Info First Seen 2023-04-05 Last Seen 2024-08-21 Times Seen 1909 Size 401 kB (400781 bytes) MD5 7c1f8f493494e1fe92155da87e4196e2 SHA1 fba5c49f80054970a27678e4dd6c55ef9877d1a0 SHA256 83ffd93dd0e7f54108fad717603bf4494ab809189835a151fab951c95d037867 Format Code Loading...

HTTP Transactions (2)

URL IP Response Size

GET egwis.com/fileman.pdf

198.38.82.168

200 OK

219 kB

URL User Request GET HTTPS

egwis.com/fileman.pdf

IP / ASN

198.38.82.168

#23352 SERVERCENTRAL

Requested byN/A

Resource Info

File typePE32+ executable (DLL) (GUI) x86-64, for MS Windows\012- data

First Seen2023-04-21

Last Seen2023-09-26

Times Seen27

Size219 kB (218624 bytes)

MD56f3be0dfe6b5971b16464b7924772445

SHA18af5e975c00f5bdbd843f644a60adbb5f8da8a0d

SHA256b51cb6fa584a073fe95bcf8749cf84363cb431f520a5d97cec92aae88329b7cb

Certificate Info

IssuerLet's Encrypt

Subjectegwis.com

Fingerprint2E:52:0B:3E:7E:D1:50:FD:B0:71:68:6A:BB:6A:56:75:E0:19:37:E6

ValiditySun, 27 Aug 2023 23:11:39 GMT - Sat, 25 Nov 2023 23:11:38 GMT

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	files - file ~tmp01925d3f.exe
mnemonic secure dns	malicious	Sinkholed
Quad9 DNS	malicious	Sinkholed
VirusTotal	malicious	VirusTotal - Scan result 50/66

HTTP Headers

GET /fileman.pdf HTTP/1.1
Host: egwis.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
last-modified: Thu, 20 Jan 2022 17:04:34 GMT
etag: "6a80086-35600-5d6067f1a22c3"
accept-ranges: bytes
content-length: 218624
content-type: application/pdf
date: Mon, 25 Sep 2023 11:20:30 GMT
server: Apache/2.4.57 (cPanel) OpenSSL/1.1.1u mod_jk/1.2.41 mod_bwlimited/1.4 mod_fcgid/2.3.9 Phusion_Passenger/6.0.7
X-Firefox-Spdy: h2

GET egwis.com/favicon.ico

198.38.82.168

200 OK

7.5 kB

URL GET HTTPS

egwis.com/favicon.ico

IP / ASN

198.38.82.168

#23352 SERVERCENTRAL

Requested byresource://pdf.js/web/viewer.html

Resource Info

File typeMS Windows icon resource - 1 icon, 64x28, 32 bits/pixel\012- data

First Seen2023-04-21

Last Seen2023-09-26

Times Seen50

Size7.5 kB (7454 bytes)

MD5893115734c5c03a86b1c433f28c95a95

SHA1596492779b902afc092a190367971166b42d6cac

SHA2560824ca0c0936d3bb01bc3942f68ac58e299c3a4e6ec0f084f162b2e8c8aaa07c

Certificate Info

IssuerLet's Encrypt

Subjectegwis.com

Fingerprint2E:52:0B:3E:7E:D1:50:FD:B0:71:68:6A:BB:6A:56:75:E0:19:37:E6

ValiditySun, 27 Aug 2023 23:11:39 GMT - Sat, 25 Nov 2023 23:11:38 GMT

Detections

Analyzer	Verdict	Alert
mnemonic secure dns	malicious	Sinkholed
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /favicon.ico HTTP/1.1
Host: egwis.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://egwis.com/
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

HTTP/2 200 OK
last-modified: Sat, 03 Jun 2023 11:35:00 GMT
etag: "6a80085-1d1e-5fd380f4dc15b"
accept-ranges: bytes
content-length: 7454
content-type: image/x-icon
date: Mon, 25 Sep 2023 11:20:31 GMT
server: Apache/2.4.57 (cPanel) OpenSSL/1.1.1u mod_jk/1.2.41 mod_bwlimited/1.4 mod_fcgid/2.3.9 Phusion_Passenger/6.0.7
X-Firefox-Spdy: h2